Fortinet has released an update to address a critical security vulnerability affecting its FortiNAC network access control solution that could lead to arbitrary code execution.
Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system and has been described as a case of deserialization of untrusted Java objects.
“A deserialization of untrusted data vulnerability (CWE-502) in FortiNAC allows unauthenticated users to execute unauthorized code or commands via specially crafted requests to the tcp/1050 service,” Fortinet said in an advisory published last week.
The flaw affects the following versions; fixes are available in FortiNAC 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later:
- FortiNAC version 9.4.0 to 9.4.2
- FortiNAC version 9.2.0 to 9.2.7
- FortiNAC version 9.1.0 to 9.1.9
- FortiNAC version 7.2.0 to 7.2.1
- FortiNAC 8.8 all versions
- FortiNAC 8.7 all versions
- FortiNAC 8.6 all versions
- FortiNAC 8.5 all versions, and
- FortiNAC 8.3 all versions
Also resolved by Fortinet is a moderate-severity vulnerability tracked as CVE-2023-33300 (CVSS score: 4.8), an improper access control issue that affects FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1. It is fixed in FortiNAC versions 7.2.2 and 9.4.4.
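As an added example (not Fortinet's code and not part of the original article), the following Python encodes the affected and fixed versions listed above for both CVEs and flags which appliances in an inventory still need action; the function names, data layout and sample inventory are assumptions of this example.

```python
# Added example: triage FortiNAC appliances against the affected ranges
# quoted in the advisories above. Function names, data layout and the
# sample inventory are this example's own, not Fortinet's.
from __future__ import annotations

Version = tuple[int, ...]

def parse_version(text: str) -> Version:
    """'9.4.2' -> (9, 4, 2); a build suffix such as '9.4.2-b0123' is ignored."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

# (CVE, first affected, last affected, first fixed release in that branch),
# as listed in the advisories summarised above.
AFFECTED_RANGES = [
    ("CVE-2023-33299", (9, 4, 0), (9, 4, 2), (9, 4, 3)),
    ("CVE-2023-33299", (9, 2, 0), (9, 2, 7), (9, 2, 8)),
    ("CVE-2023-33299", (9, 1, 0), (9, 1, 9), (9, 1, 10)),
    ("CVE-2023-33299", (7, 2, 0), (7, 2, 1), (7, 2, 2)),
    ("CVE-2023-33300", (9, 4, 0), (9, 4, 3), (9, 4, 4)),
    ("CVE-2023-33300", (7, 2, 0), (7, 2, 1), (7, 2, 2)),
]
# Branches affected by CVE-2023-33299 in their entirety, with no in-branch fix.
UNPATCHED_BRANCHES = {(8, 8), (8, 7), (8, 6), (8, 5), (8, 3)}
MIGRATE_TO = "no fix in this branch: migrate to 7.2.2, 9.1.10, 9.2.8 or 9.4.3+"

def assess(version_text: str) -> dict[str, str]:
    """Map each CVE the given version is exposed to -> the release that fixes it."""
    v = parse_version(version_text)
    findings: dict[str, str] = {}
    for cve, lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v <= hi:  # tuple comparison orders numerically field by field
            findings[cve] = ".".join(map(str, fixed))
    if v[:2] in UNPATCHED_BRANCHES:
        findings["CVE-2023-33299"] = MIGRATE_TO
    return findings

def triage(inventory: dict[str, str]) -> dict[str, dict[str, str]]:
    """Return only the hosts that need action, with their findings."""
    result: dict[str, dict[str, str]] = {}
    for host, version in inventory.items():
        findings = assess(version)
        if findings:
            result[host] = findings
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"nac-01": "9.4.2", "nac-02": "9.4.3", "nac-03": "8.7.2", "nac-04": "9.4.4"}
    for host, findings in triage(sample).items():
        print(host, findings)
```

Note that 9.4.3 closes CVE-2023-33299 but still falls inside the affected range of CVE-2023-33300, which the check reports separately.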
Florian Hauser from German cybersecurity firm CODE WHITE has been credited with finding and reporting the two bugs.
The warning follows active exploitation of another critical vulnerability affecting FortiOS and FortiProxy (CVE-2023-27997, CVSS score: 9.2) that allowed a remote attacker to execute arbitrary code or commands via specially crafted requests.
Fortinet earlier this month acknowledged that the issue may have been abused in limited attacks targeting the government, manufacturing and critical infrastructure sectors, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog.
It also comes more than four months after Fortinet addressed a severe bug in FortiNAC (CVE-2022-39952, CVSS score: 9.8) that could lead to arbitrary code execution. That flaw was actively exploited not long after a proof-of-concept (PoC) exploit became available.
In a related development, Grafana has released a patch for a critical security vulnerability (CVE-2023-3128) that could allow a malicious attacker to bypass authentication and take control of any account that uses Azure Active Directory for authentication.
“If exploited, an attacker can gain full control of a user’s account, including access to customers’ personal data and sensitive information,” Grafana said.